IG-00-024

AUDIT REPORT

UNIX OPERATING SYSTEM SECURITY AND INTEGRITY [WITHHELD PER EXEMPTION (B)(5)] AT GODDARD SPACE FLIGHT CENTER

March 29, 2000

[Withheld per exemption (b)(5)]

OFFICE OF INSPECTOR GENERAL

National Aeronautics and Space Administration

Additional Copies

To obtain additional copies of this report, contact the Assistant Inspector General for Auditing at
(202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Assistant Inspector General for
Auditing. Ideas and requests can also be mailed to:

    Assistant Inspector General for Auditing
    NASA Headquarters
    Code W, Room 8V69
    300 E Street, SW
    Washington, DC 20546-0001

NASA Hotline

To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at
(800) 424-9183, (800) 535-8134 (TDD), or at
www.hq.nasa.gov/office/oig/hq/hotline.html#form; or write to the NASA Inspector General,
P.O. Box 23089, L'Enfant Plaza Station, Washington, DC 20026.
The identity of each writer and
caller can be kept confidential, upon request, to the extent permitted by law.

Please complete the reader survey at the end of this report or at
http://www.hq.nasa.gov/office/oig/hq/audits.html.

Acronyms

[withheld per exemption (b)(5)]
ID      Identification
IT      Information Technology
[withheld per exemption (b)(5)]
NPG     NASA Procedures and Guidelines
OMB     Office of Management and Budget

[withheld per exemption (b)(5)]

W
March 29, 2000

TO: A/Administrator

FROM: W/Inspector General

SUBJECT: INFORMATION: UNIX Operating System Security and Integrity
Report Number IG-00-024

The NASA Office of Inspector General has completed an audit of Unix Operating System
Security and Integrity [withheld per exemption (b)(5)] at Goddard Space Flight Center. We
found that the [withheld per exemption (b)(5)] did not have an adequate information
technology (IT) security program. [withheld per exemption (b)(5)]

Background

NASA uses the UNIX[1] operating system[2] in a variety of major, [withheld per exemption
(b)(5)] computing environments. One of NASA's major information systems that uses UNIX
is the [withheld per exemption (b)(5)] at Goddard Space Flight Center.
[withheld per exemption (b)(5)]

Recommendations

We recommended that the Director, Goddard Space Flight Center (1) improve personnel
screening, the process for granting access to computer systems, [withheld per exemption
(b)(5)], and protection of critical system files; (2) establish policies for privileged operations
and system backups; and (3) implement proactive security monitoring.

Management Response and OIG Evaluation

Goddard management agreed that it is important to implement proper controls to reasonably
assure system, program, and data security and integrity. However, Goddard has classified the
[withheld per exemption (b)(5)] as a [withheld per exemption (b)(5)] information system.
The Center has not yet completed its reassessment of whether certain [withheld per
exemption (b)(5)] should be classified as [withheld per exemption (b)(5)] information
systems, which imposes a significant amount of additional security controls above those
currently required.

[1] A powerful and complex operating system (further described in Appendix B).
[2] Software that manages the basic operations of a computer system (see Appendix B).

Based on our interpretation of NASA Procedures and Guidelines (NPG) 2810.1, "Security of
Information Technology," all [withheld per exemption (b)(5)] should be classified as
[withheld per exemption (b)(5)] information systems.
The NPG was issued 7 months ago,
yet Goddard has not made a final decision on how to classify some of the [withheld per
exemption (b)(5)].

Even if we had applied the security criteria for [withheld per exemption (b)(5)] systems in
performing our audit of the security controls currently implemented, the systems would not
have met most of those criteria. While Goddard has agreed to full implementation of
security for the [withheld per exemption (b)(5)] at least at the level required for [withheld
per exemption (b)(5)] systems, we still request that Goddard provide a specific response to
each recommendation. A summary of the status of all the recommendations is in the
Executive Summary of the report.

[original signed by]
Roberta L. Gross

Enclosure
Final Report on Audit of Unix Operating System Security
and Integrity [withheld per exemption (b)(5)]
at Goddard Space Flight Center

FINAL REPORT

UNIX OPERATING SYSTEM SECURITY AND INTEGRITY [withheld per exemption (b)(5)] AT GODDARD SPACE FLIGHT CENTER

W
March 29, 2000

TO: Y/Associate Administrator for Earth Science
    Code 100/Director, Goddard Space Flight Center

FROM: W/Assistant Inspector General for Auditing

SUBJECT: Final Report on the Audit of Unix Operating System Security and Integrity
[withheld per exemption (b)(5)] at Goddard Space Flight Center
Assignment Number A9904000
Report Number IG-00-024

The subject final report is provided for your use and comment. Please refer to the Executive
Summary for the overall audit results. Our evaluation of your response is incorporated into the
body of the report.
Management provided an interim response and stated that they would provide
more specific information later. We request that management provide by April 28, 2000, the
specific corrective actions planned, ongoing, and completed or an estimated completion date.
Also, please notify us when action has been completed on the recommendations, including the
extent of testing performed to ensure corrective actions are effective. All recommendations will
remain open for reporting purposes.

If you have questions concerning the report, please contact Mr. Gregory B. Melson, Program
Director for Information Assurance Audits, at (202) 358-2588; Mr. Ernest L. Willard, Audit
Program Manager, at (650) 604-2676; or Mr. James W. Geith, Auditor-in-Charge, at
(301) 286-7943. We appreciate the courtesies extended to the audit staff. The final report
distribution is in Appendix E.

[original signed by]
Russell A. Rau

Enclosure

cc:
AO/Chief Information Officer

Contents

Executive Summary

Introduction

Findings and Recommendations

Finding A. [withheld per exemption (b)(5)]

Finding B. [withheld per exemption (b)(5)] Security Controls

Finding C. Protection of Critical Log

Finding D. Privileged Operations

Finding E. System Security Monitoring

Finding F. System Backup

Appendix A - Objectives, Scope, and Methodology

Appendix B - Glossary

Appendix C - Federal Guidance Related to Information Technology Security

Appendix D - Management's Response

Appendix E - Report Distribution

NASA Office of Inspector General

IG-00-024
A9904000
March 29, 2000

UNIX Operating System Security and Integrity [withheld per exemption (b)(5)]
at Goddard Space Flight Center

Executive Summary

Background. NASA uses the UNIX[3] operating system[4] in a variety of [withheld per
exemption (b)(5)] computing environments. One of NASA's [withheld per exemption (b)(5)]
information systems that uses UNIX is the [withheld per exemption (b)(5)] at Goddard Space
Flight Center (Goddard). [withheld per exemption (b)(5)][5]

Objectives. The overall objective was to determine whether the [withheld per exemption
(b)(5)] at Goddard has implemented controls at the host computer level to provide reasonable
assurance of system, program, and data security and integrity. We reviewed the adequacy of
basic controls (physical security; system backups; system startup; default accounts; systems
administration; account security; and system security monitoring) for 2 [withheld per
exemption (b)(5)] UNIX host[6] computers in the [withheld per exemption (b)(5)]. Details of
our objective, scope, and methodology are in Appendix A.

Appendix B contains a glossary of terms used in this report.

Results of Audit. The [withheld per exemption (b)(5)] did not have an adequate information
technology (IT) security program. Specifically, Goddard management did not assign sufficient
priority to IT security.
Our detailed findings follow:

• [withheld per exemption (b)(5)]

• [withheld per exemption (b)(5)]

• [withheld per exemption (b)(5)][7]

• [withheld per exemption (b)(5)]

• Proactive security monitoring and reviewing were not being accomplished for the [withheld
  per exemption (b)(5)] (Finding E). [withheld per exemption (b)(5)]

• System backup policies were inadequate, increasing the possibility that backup copies would
  be unusable or unavailable when needed (Finding F).

[3] A powerful and complex operating system (further described in Appendix B).
[4] Software that manages the basic operations of a computer system (see Appendix B).
[5] [withheld per exemption (b)(5)]
[6] A computer network interconnects many computer processors called hosts, each of which is capable of supplying
computing services to network users. Each host computer contains an operating system that supports applications
processes (see Appendix B).
[7] [withheld per exemption (b)(5)]

Unauthorized access to the [withheld per exemption (b)(5)] computers by a user who has other
than superuser privileges could result in loss of [withheld per exemption (b)(5)] support and
the loss of [withheld per exemption (b)(5)] some data. Unauthorized access with superuser
privileges would give the user complete control of the computer system and could result in
catastrophic loss of services.

Goddard personnel took prompt corrective action on a number of these deficiencies.

Recommendations. Goddard management should improve personnel screening, the process for
granting access to computer systems, [withheld per exemption (b)(5)], and protection of
critical system files; establish policies for privileged operations and system backups; and
implement proactive security monitoring.

Management's Response.
Although management fully concurred in principle with the
importance of implementing and maintaining proper security controls, management did not
provide planned corrective actions for each recommendation. Also, Goddard has not yet made
its reassessment of whether certain [withheld per exemption (b)(5)] centers, [withheld per
exemption (b)(5)] should be classified as [withheld per exemption (b)(5)] information
systems or as [withheld per exemption (b)(5)] information systems.

Evaluation of Response. We consider all recommendations unresolved and open. In response
to the final report, we request additional comments that specify planned corrective actions.

Introduction

NASA stores [withheld per exemption (b)(5)] information as both data and programs on many
UNIX-based computers in data centers and user-controlled areas. Because NASA used UNIX in
[withheld per exemption (b)(5)] computing environments, it must be subject to IT security
requirements to ensure that data and programs are protected from unauthorized or accidental
modification, damage, destruction, or disclosure. UNIX is an extraordinarily complex operating
system. Many vendors have developed their own versions of the UNIX operating system and
hardware. [withheld per exemption (b)(5)]

[paragraph withheld per exemption (b)(5)]

The [withheld per exemption (b)(5)] perform the system administration responsibilities for the
[withheld per exemption (b)(5)] computer systems. (The terms [withheld per exemption
(b)(5)] and system administrators are interchangeable for the purposes of this report.)

UNIX systems are favorite targets of hackers.
Without adequate UNIX security controls, the
[withheld per exemption (b)(5)] IT systems could be compromised by an unauthorized source.

Findings and Recommendations

Finding A. [withheld per exemption (b)(5)]

[paragraph withheld per exemption (b)(5)]

Federal and NASA Policies and Procedures on Personnel Screening

Office of Management and Budget (OMB) Circular No. A-130, "Management of Federal
Information Resources," February 8, 1996, requires that individuals who are authorized to bypass
significant technical and operational security controls of a system must be screened both before
being authorized to bypass controls and periodically thereafter.

NASA Procedures and Guidelines (NPG) 1620.1, "Security Procedures and Guidelines,"
November 18, 1999, requires a National Agency Check[8] for civil service and contractor
personnel who require access to IT systems that process sensitive information.

NPG 2810.1, "Security of Information Technology," August 26, 1999, requires that individuals
who are authorized to bypass significant technical and operational security controls of a system
must be screened before being granted access.

Federal and NASA Policies and Procedures on Access Authorization

OMB Circular A-130 and NPG 2810.1 require that individuals be granted the minimum
privileges necessary to accomplish their tasks.

NPG 2810.1 requires that system administrators grant accounts only to individuals who
have had the appropriate personnel screening. The NPG also requires that system
administrators receive an Account Request Document approved by a Government
management official responsible for the individual before the system administrators grant
the individual access to a computer system.
The Account Request Document must
contain a statement indicating that the requestor acknowledges an understanding of and
intention to comply with a statement concerning user responsibilities, possible
monitoring of their computer use, and that failure to abide by the provisions may
constitute grounds for administrative action and/or civil or criminal prosecution. (See
Appendix C for further details on Federal and NASA IT security requirements.)

[8] See Appendix C, under Personnel Screening, for a description of a National Agency Check.

Access Authorization

Before a system administrator can give someone an account on an information system that
processes sensitive information, three things must occur.

• First, the Center must conduct a personnel screening to determine whether the individual is
  eligible to be issued an account. The level of screening that is required depends on which
  access privileges the individual needs to perform his or her job and the nature of the
  information that the individual uses.

• Second, an Account Request Document must be prepared.
  The document includes:
  identification information for the requester; the requester's citizenship; the system or group of
  systems for which an account is being requested, the level of user privileges afforded to the
  account, the requester's signature, and the date the requester acknowledges an understanding
  of and intention to comply with the rules and conditions associated with having an account.

• Third, a Government management official or a Government designee responsible for the
  individual must approve the request.

Personnel Screening

Goddard had not performed the National Agency Checks required by NPG 1620.1 on 16 of the
20 contractor personnel who have access to [withheld per exemption (b)(5)] computer systems,
including one system administrator for the [withheld per exemption (b)(5)]. System
administrators have the authority to bypass significant technical and operational security controls
of a system. The other personnel had access to sensitive information [withheld per exemption
(b)(5)]. The screenings were not performed because Goddard's policy was to not perform
personnel screenings solely for granting access to IT systems. This policy did not comply with
Federal and NASA policy.

The failure to conduct personnel screenings degraded the information technology security
environment and increased the possibility of unauthorized access and misuse of Government
resources and information that could result in the loss of [withheld per exemption (b)(5)].

Access Authorization Procedures

[paragraph withheld per exemption (b)(5)]

[withheld per exemption (b)(5)] The General Accounting Office also identified that NASA
was not providing required security training in an audit report titled "Information Security, Many
NASA Mission Critical-Systems Face Serious Risks," Report Number GAO/AIM-99-47, dated
May 1999.
[withheld per exemption (b)(5)]

[withheld per exemption (b)(5)][9]

[9] [withheld per exemption (b)(5)]

Acknowledgement of User Responsibilities

Users were not required to sign a statement acknowledging their security responsibilities or
that their use of Government computer systems was subject to monitoring and that unauthorized
use could result in administrative action and/or civil or criminal prosecution. Although the
statement is required by NPG 2810.1, the [withheld per exemption (b)(5)] contractor had not
established procedures for authorizing access to the [withheld per exemption (b)(5)] computer
systems.

The failure to have users sign an acknowledgment of their responsibilities degraded information
technology security. The failure to have users acknowledge the fact that their use of Government
systems is subject to monitoring can impede the investigation of unauthorized use of computer
systems and reduce the Government's ability to prosecute misuse in the civil and criminal courts.

Shortly after we notified them during the audit, the system administrators started correcting these
problems by establishing account access procedures. All [withheld per exemption (b)(5)]
personnel have now signed Account Request Forms acknowledging: (1) their responsibilities, (2)
that their use of Government computer systems is subject to monitoring, and (3) that
unauthorized use can result in administrative action and/or civil or criminal prosecution.

Recommendations, Management's Response, and Evaluation of Response

The Director, Goddard Space Flight Center, should:

1. Direct the Center Chief of Security to change the Goddard policy on performing
   personnel screenings to comply with Federal and NASA directives.

2. Direct the Center Chief of Security, Center Information Technology Security
   Manager, and the [withheld per exemption (b)(5)] to take immediate
   action to perform the required personnel screenings.

3. [withheld per exemption (b)(5)]

Management's Response. Management concurred with the importance of implementing proper
controls, but did not provide specific comments on the recommendations. The complete text of
management's response is in Appendix D.

Evaluation of Management's Response. We request that the Director, Goddard Space Flight
Center, provide additional comments on the recommendations including specific planned
actions.

Finding B. [withheld per exemption (b)(5)] Security Controls

[section withheld per exemption (b)(5)][10][11]

[10] [withheld per exemption (b)(5)]
[11] [withheld per exemption (b)(5)]

Finding C. Protection of Critical Log

The [withheld per exemption (b)(5)] system administrators did not save to a secure secondary
location an automated log, which is critical to monitoring unauthorized access. This condition
existed because system administrators believed the system was secure and that protecting the log
entries was not necessary. [withheld per exemption (b)(5)]

Agency Policy Related to Audit Trails

NPG 2810.1 requires, as part of the minimum IT security requirements, that NASA systems
provide “ . . . audit trails or a journal of security-relevant events” (see Appendix C). The NPG
defines an audit trail as a chronological record of computer activities and states that an audit trail
“ . . .
should be sufficient to enable the reconstruction and examination of a sequence of events,
environments, activities, procedures, or operations from inception to final result.” The NPG
requires that these journals for mission information systems be kept for 12 months.

One Audit Trail

[section withheld per exemption (b)(5)].

Recommendation, Management's Response, and Evaluation of Response

7. [withheld per exemption (b)(5)].

Management's Response. Management did not provide specific comments on this
recommendation (see Appendix D).

Evaluation of Management's Response. We request that management provide additional
comments on this recommendation that specify planned corrective actions.

Finding D. Privileged Operations

[section withheld per exemption (b)(5)][12]

[12] [withheld per exemption (b)(5)]

Finding E. System Security Monitoring

[paragraph withheld per exemption (b)(5)]

NASA Policies and Procedures

For [withheld per exemption (b)(5)] systems, NPG 2810.1 requires that management
implement a process that accomplishes the following:

• Ensures the system journal records security-related events.

• Reviews journals daily or when problems are suspected.

• Records successful and failed logons and logoffs.

• Records all successful and failed file openings and closings.

• Records all file creation/modification/deletion events.

• Ensures that journals identify programs being executed, users, source device files, and the
  time, date, and success or failure of all access attempts.

Additionally, the NPG requires that each system “ . . . have a System Administrator who will
ensure that the protective security measures of the system are functional and who will maintain
its security posture.” The system administrator's responsibilities include:

• Using IT security tools to assist in detecting modifications to the system and monitoring audit
  logs.

• Ensuring that security controls are in place and functioning.

Logging and Review of System Activity

[withheld per exemption (b)(5)][13]

Tools such as UNIX accounting utilities and third-party software are available to assist and
enhance security monitoring. [withheld per exemption (b)(5)]

[13] [withheld per exemption (b)(5)]

Recommendation, Management's Response, and Evaluation of Response

9. The Director, Goddard Space Flight Center, should direct the [withheld per exemption
(b)(5)] to record and review system events as required by NPG 2810.1.

Management's Response.
Management did not provide specific comments on this
recommendation (Appendix D).

Evaluation of Management's Response. We request that the Director, Goddard Space Flight
Center, provide specific planned actions on the recommendation in response to the final report.

Finding F. System Backup

The system administrators had not developed management-approved policies covering backups
of the operating systems, applications, and other information on the [withheld per exemption
(b)(5)] host computers. This occurred because Goddard management had not complied with
Agency IT security policies. As a result, restoration of the operating system from the backup
copies may take longer than necessary. Further, it may not be possible to restore an
uncompromised version of the operating system from the backup copies, if the system is
compromised.

NASA Policy Regarding System Backup

NPG 2810.1 requires that management implement a process for systems that:

• Retains journals[14] at least 1 year.

• Backs up the operating systems at least monthly and when modified.

• Retains operating system backups for at least 1 year.

• Stores in an external location the most recent backup copies or backup copies made
  immediately before the most recent.

Backup Operations

Daily and weekly backups of the [withheld per exemption (b)(5)] host computers were being
made to hard drives on other computers in the [withheld per exemption (b)(5)]. Monthly
backups of one of the two host computers that we reviewed were being made to tapes that were
stored in the [withheld per exemption (b)(5)]. However, there was only one backup copy. The
system administrators used the same set of tapes each month.
As a result, the system journals
and backup copies were not retained for at least 1 year as required.

Because there was only a single copy of the backup tapes, there was no off-site storage of a
backup copy of the operating system and journals. However, the [withheld per exemption
(b)(5)] had a copy of the operating system and application software that the system
administrators could use to rebuild the computer systems.

The [withheld per exemption (b)(5)] contractor had no policies for testing the backups to
ensure they are useable. Having backup copies is not sufficient to ensure that a system can be
restored if necessary. Backup copies must be tested periodically to determine they are actually
useable.

[14] The journals contain the security-related events and other events described in Finding E.

These conditions existed because Goddard management had not given adequate priority to IT
security and had not ensured that the [withheld per exemption (b)(5)] developed and
implemented policies for system backup that comply with Agency policy.

Potential Impact

The lack of adequate backup copies of the operating system could delay restoration of the
[withheld per exemption (b)(5)] systems in the event of an emergency that made the [withheld
per exemption (b)(5)] unusable. If computer hackers compromise the operating systems, the
lack of a series of backups makes it more difficult to restore a version of the operating system
that has not been compromised and to investigate the compromise.

As a result of our audit, the [withheld per exemption (b)(5)] system administrators
implemented a weekly backup on the [withheld per exemption (b)(5)] computers. This process
provides off-site storage for a backup copy of the system software.
In addition, the system
administrators created formal procedures for backup operations including semiannual testing of
the data.

Recommendation, Management's Response, and Evaluation of Response

10. The Director, Goddard Space Flight Center, should direct the [withheld per exemption
(b)(5)] to develop and implement adequate policies for backups of the [withheld per
exemption (b)(5)] operating systems.

Management's Response. Management did not provide specific comments on this
recommendation (see Appendix D).

Evaluation of Management's Response. We request that the Director, Goddard Space Flight
Center, provide specific planned actions on the recommendation in response to the final report.

Appendix A. Objectives, Scope, and Methodology

Objectives

The overall objective was to determine whether the [withheld per exemption (b)(5)] at
Goddard has implemented controls at the host computer level to provide reasonable assurance of
system, program, and data security and integrity. We reviewed selected UNIX hosts in the
[withheld per exemption (b)(5)] for basic controls (physical security, system backups, system
startup, default accounts, systems administration, account security, and audit and monitoring).

Scope and Methodology

We performed work at Goddard by reviewing 2 [withheld per exemption (b)(5)] UNIX host
computers, [withheld per exemption (b)(5)]. We selected these computers because they
supported information systems that Goddard had designated as [withheld per exemption
(b)(5)].
During the audit field work, we reviewed the following:

• General Accounting Office reports related to NASA IT Security.

• Federal and NASA directives (listed in Appendix C) governing the management and use of
  information systems.

• Goddard policies and procedures applicable to the [withheld per exemption (b)(5)].

• Physical access security for the hosts.

• [withheld per exemption (b)(5)] policies, procedures, and practices for system backup.

• System startup and shutdown procedures and permissions and contents of startup files.

• Default passwords to determine whether they had been changed.

• Responsibilities of system administrators.

• Security controls for user and root logons.

• Account security, including password security controls.

• System security monitoring functions.

We also:

• Interviewed Goddard civil service and [withheld per exemption (b)(5)] personnel to
  identify policies and procedures relating to UNIX security.

• Utilized various resources for reference information [withheld per exemption (b)(5)] for
  UNIX security guidelines.

Our audit procedures are not intended to address audit coverage of all potential security
weaknesses, or to provide an opinion on the overall security of the [withheld per exemption
(b)(5)] infrastructure. [withheld per exemption (b)(5)]

Management Controls Reviewed

We reviewed Federal and NASA policies and procedures relating to [withheld per exemption
(b)(5)] control and management to determine whether the policies and procedures for UNIX
security were adequate.
We identified the weaknesses discussed in the Findings section of the
report.

Prior Audit Coverage

The General Accounting Office issued an audit report titled "Information Security, Many NASA
Mission Critical-Systems Face Serious Risks," Report Number GAO/AIM-99-47, May 1999.

Audit Field Work

We performed field work from July 1999 through February 2000 at Goddard. We performed the
audit in accordance with generally accepted government auditing standards.


Appendix B. Glossary

Console. The combination of display monitor and keyboard (or other device that allows input).
Another term for console is terminal. The term console usually refers to a terminal attached to a
minicomputer or mainframe and used to monitor the status of the system.

Host. A computer network interconnects many computer processors called hosts; each is
capable of supplying computing services to network users. Each host computer contains an
operating system that supports applications processes.

Log in. The identification and authentication sequence that authorizes a user’s access to a
computer. Conversely, “log out” is the sequence that terminates user access to the system.

[Paragraph withheld per exemption (b)(5)]

Operating System. Software that manages the basic operations of a computer system. The
software calculates how the computer main memory will be apportioned, how and in what order
to handle tasks assigned to it, how to manage the flow of information into and out of the main
processor, how to send material to the printer for printing and to the screen for viewing, how to
receive information from the keyboard, etc. In short, the operating system handles the
computer’s basic housekeeping.
MS-DOS, UNIX, and Windows NT are a few examples of
operating systems.

Superuser. A user who is granted special privileges if the correct password is supplied when
logging in. The user name for this account is normally “root.” A user must be “root” to perform
many system administration tasks, such as changing ownership and permissions for a file or
directory that the user does not own.

UNIX. An immensely powerful and complex operating system. UNIX provides multi-tasking,
multi-user capabilities that allow both multiple programs to be run simultaneously and multiple
users to use a single computer. On a single-user system, such as MS-DOS, only one person at a
time, on an individual task basis, can use a computer’s files, programs, and other resources.
UNIX works on many different computers. This means you can often take applications software
that runs on UNIX and move it – with little changing – to a bigger, different computer or to a
smaller computer. This process of moving programs to other computers is known as “porting.”
Today, the UNIX operating system is available on a wide range of hardware, from small
personal computers to the most powerful mainframes, from a multitude of hardware and software
vendors.

User ID. User identification. A unique character string used in a computer to identify a user.


Appendix C. Federal Guidance Related to Information Technology Security

OMB Circular No. A-130, "Management of Federal Information Resources." Circular No.
A-130 provides uniform Government-wide information resources management policies.
Appendix III of the Circular establishes a minimum set of controls to be included in Federal
automated information security programs.

NPG 1620.1, "Security Procedures and Guidelines."
NPG 1620.1 "provides internal
guidelines and procedures to assist NASA Centers in complying with the minimum standards,
requirements, and specifications for the protection of personnel, sensitive unclassified/classified
information, material, facilities, and resources in the possession of NASA, as well as the basic
information regarding the assignment of management responsibilities."

NPG 2810.1, “Security of Information Technology.” NPG 2810.1 cancels NASA Automated
Information Security Handbook (NHB 2410.9A), dated June 1993, and became effective on
August 26, 1999. NPG 2810.1

               . . . describes the NASA IT Security Program, providing direction designed to
               ensure that safeguards for the protection of the integrity, availability, and
               confidentiality of IT resources (e.g., data, information, applications, and
               systems) are integrated into and support the missions of NASA. . . . NASA’s IT
               Security Program is a set of policies, procedures, and guidance for ensuring the
               security of the Agency’s IT resources.

Appendix A of NPG 2810.1, “Baseline IT Security Requirements,” lists “ . . . the minimum
technical, procedural, and physical IT security requirements for protecting NASA’s IT
resources.” Appendix A, Section A.6.1 of NPG 2810.1, “Operating System Integrity,”
“ . . . describes the requirements for ensuring operating system integrity on NASA multi-user
computers.”

Personnel Screening

OMB Circular No. A-130, Appendix III, paragraph A.3.a.(2).(c), requires screening for
individuals who are authorized to bypass significant technical and operational security controls
of a system commensurate with the risk and magnitude of harm they could cause.
Such
screening shall occur prior to an individual being authorized to bypass controls and periodically
thereafter. Paragraph A.3.b.(2).(c), requires that

               . . . controls such as separation of duties, least privilege and individual
               accountability be incorporated in major applications and application rules. . . .
               Least privilege is the practice of restricting a user's access (to data files, to
               processing capability, or to peripherals) or type of access (read, write, execute,
               delete) to the minimum necessary to perform his or her job.

Where such controls ". . . cannot adequately protect the application or information in it, screen
individuals commensurate with the risk and magnitude of the harm they could cause."

NPG 1620.1, paragraph 3.2.2, requires a National Agency Check for civil service and contractor
personnel who require access to IT systems that process sensitive information in compliance
with Appendix III of OMB Circular No. A-130. The National Agency Check consists of a
review of:

       a. Investigative and criminal history files of the Federal Bureau of Investigation,
          including a technical fingerprint search;

       b. Office of Personnel Management Security/Suitability Investigations Index;

       c. Department of Defense's Defense Clearance and Investigations Index; and

       d. Such other national agencies (for example, Central Intelligence Agency, Immigration
          and Naturalization Service) as appropriate to the individual’s background.

NPG 2810.1, paragraph 2.2.8.2.c, requires that system administrators grant accounts only to
individuals who have had the appropriate personnel screening.
Paragraph 4.5.1.2, states,

               Some positions require special access privileges in order to do the assigned job
               or duties. These are "Public Trust" positions since they can affect the integrity,
               efficiency, or effectiveness of the system to which they have been granted
               privileged access. Screening for suitability, prior to being granted access, is
               required.

Paragraph 4.5.3.1.a, states, "Privileged access -- Can bypass, modify, or disable the technical and
operational security controls."

[withheld per exemption (b)(5)] Security

[section withheld per exemption (b)(5)]

Individual Accountability and Controlled Access Protection

OMB Circular A-130, Appendix III, paragraph B.a.(c), states:

               Individual accountability consists of holding someone responsible for his or her
               actions. In a general support system, accountability is normally accomplished
               by identifying and authenticating users of the system and subsequently tracing
               actions on the system to the user who initiated them.

NPG 2810.1, paragraph A.6.4.3, “Controlled Access Protection,” states:

               Controlled access protection is the ability of the system to control the
               circumstances under which users have access to resources.
               Management will
               ensure that all systems that are accessed by more than one user will provide the
               following controlled access protection when those users do not have the same
               authorization to use all of the information on the system:

               •   Provides individual electronic accountability through identification and
                   authentication of each system user.

               •   Provides audit trails or a journal of security-relevant events.

Security Monitoring

NPG 2810.1, paragraph 2.2.8.1, states "Each system will have a System Administrator who will
ensure that the protective security measures of the system are functional and who will maintain
its security posture."

Paragraph 2.2.8.2 of NPG 2810.1 provides a list of security responsibilities. The responsibilities
include:

•   Periodically using tools to verify and/or monitor compliance to password guidelines.

•   Using IT security tools to assist in detecting modifications to the system and monitoring audit
    logs.

•   Ensuring that security controls are in place and functioning.

The [withheld per exemption (b)(5)] host computers have the ability to record (in journals)
important system events. These journals can be used as an audit trail to investigate system or
security problems.
NPG 2810.1, Appendix A, paragraph A.6.1.3, states:

               Management will implement a process that accomplishes the following (for
               Mission Information systems):

               •   Ensures system journals record security-related events.

               •   Reviews journals daily or when problems are suspected.

               •   Records successful and failed logons/logoffs.

               •   Records all successful and failed file opens and closes.

               •   Records all file creation/modification/deletion events.

               •   Ensures journals identify programs being executed, users, source devices,
                   files, and the time, date, and success or failure of all access attempts.

System Backup

NPG 2810.1, Appendix A, paragraph A.6.1.4, states:

               To ensure continuity of operation, copies of important software and data will be
               made and retained. NASA Internet server log files shall be processed according
               to the NASA records retention procedure. (See NPG 1441.1C, Records
               Retention Schedules, for retention requirements and procedures.)
               Management
               will implement a process that accomplishes the following (for Mission
               Information systems):

               •   Retains journals at least 1 year or 3 generations (whichever is longer)

               •   Backs up the operating systems and key system services at least monthly
                   and when modified

               •   Retains operating system backups for at least 1 year

               •   Stores the most recent or most recent minus one backup external to the
                   Center


Appendix D. Management's Response


Appendix E. Report Distribution

National Aeronautics and Space Administration (NASA) Headquarters

A/Administrator
AI/Associate Deputy Administrator
AO/Chief Information Officer
J/Associate Administrator for Management Systems
L/Associate Administrator for Legislative Affairs
Q/Associate Administrator for Safety and Mission Assurance
Y/Associate Administrator for Earth Science

NASA Center

100/Director, Goddard Space Flight Center


NASA Assistant Inspector General for Auditing
Reader Survey

The NASA Office of Inspector General has a continuing interest in improving the usefulness of
our reports. We wish to make our reports responsive to our customers’ interests, consistent with
our statutory responsibility. Could you help us by completing our reader survey?
For your
convenience, the questionnaire can be completed electronically through our homepage at
http://www.hq.nasa.gov/office/oig/hq/audits.html or can be mailed to the Assistant Inspector
General for Auditing; NASA Headquarters, Code W, Washington, DC 20546-0001.

Report Title: Unix Operating System Security and Integrity [withheld per exemption (b)(5)]
              at Goddard Space Flight Center

Report Number:                                         Report Date:

Circle the appropriate rating for the following statements.

                                                      Strongly                                Strongly
                                                       Agree     Agree   Neutral   Disagree   Disagree   N/A

1.   The report was clear, readable, and logically       5         4       3          2          1       N/A
     organized.
2.   The report was concise and to the point.            5         4       3          2          1       N/A
3.   We effectively communicated the audit               5         4       3          2          1       N/A
     objectives, scope, and methodology.
4.   The report contained sufficient information to      5         4       3          2          1       N/A
     support the finding(s) in a balanced and
     objective manner.

Overall, how would you rate the report?
      Excellent              Fair
      Very Good              Poor
      Good

If you have any additional comments or wish to elaborate on any of the above responses,
please write them here. Use additional paper if necessary.

How did you use the report?

How could we improve our report?

How would you identify yourself?
(Select one)

       Congressional Staff                      Media
       NASA Employee                            Public Interest
       Private Citizen                          Other:
       Government:            Federal:             State:         Local:

May we contact you about your comments?

Yes: ______                                 No: ______
Name: ____________________________
Telephone: ________________________

Thank you for your cooperation in completing this survey.


Major Contributors to this Report

Gregory B. Melson, Program Director for Information Assurance Audits

Ernest L. Willard, Audit Program Manager

James W. Geith, Auditor-in-Charge

Pat Reid, Program Assistant